2020-03-18 - GERMAN MALSPAM PUSHES URSNIF (GOZI/IFSB)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2020-03-18-Ursnif-IOCs.txt.zip   1.1 kB (1,140 bytes)

• 2020-03-18-Ursnif-IOCs.txt   (1,812 bytes)

• 2020-03-18-example-of-German-malspam-pushing-Ursnif.eml.zip   43.3 kB (43,304 bytes)

• 2020-03-18-example-of-German-malspam-pushing-Ursnif.eml   (57,701 bytes)

• 2020-03-18-Ursnif-infection-from-German-malspam-attachment.pcap.zip   727 kB (727,019 bytes)

• 2020-03-18-Ursnif-infection-from-German-malspam-attachment.pcap   (1,049,377 bytes)

• 2020-03-18-malware-and-artifacts-from-Ursnif-infection.zip   2.3 MB (2,346,446 bytes)

• 2020-03-18-Ursnif-DLL-retrieved-by-Word-macro.bin   (870,400 bytes)
• 2020-03-18-Word-doc-with-macro-for-Ursnif.bin   (68,096 bytes)
• 2020-03-18-password-protected-zip-archive-for-Ursnif-password-111.zip   (40,243 bytes)
• 2020-03-18-regsitry-update-caused-by-Ursnif.txt   (4,630,804 bytes)

NOTES:

• On Monday 2020-03-16, an English-language wave of this malspam pushed IcedID instead of Ursnif (link).
• However, today this German-language wave pushed Ursnif (Gozi/IFSB) as usual.
• Chain of events: malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> Ursnif

 

IMAGES

Shown above:  Screenshot of an example of malspam from today's wave.

 

Shown above:  Word document extracted from the password-protected zip archive.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Ursnif DLL retrieved by the Word macro.

 

Shown above:  Registry updates to keep Ursnif persistent on an infected Windows host.

 

Click here to return to the main page.